[jacques_chester]

I disagree.

At best the users who don't care will continue not to care. At worst it will train users to think "oh, it's another drill, ho hum".

Somewhere in the middle is some deeply embarrassed Deputy Vice Chancellor who decides to make those horrid computer people his personal enemies.

[raldi]

> At worst it will train users to think "oh, it's another drill, ho hum".

How is that a bad outcome? Whether they think it's phishing or a drill, the important thing is that they don't enter their credentials.

[marios]

It's bad if users are trained to only recognize _your_ phishing attempts :-)

I'm not sure I understand which users jacques_chester is talking about. There are users that can recognize phishing, and they are entitled not to care about your teaching. And then there are those that can't recognize phishing - or perhaps don't even know about it - but I'm pretty sure any user would start caring when they find out someone else can gain access to their email/bank/facebook/whatever online service they use if they aren't careful.

To avoid training users into thinking it's another drill, perhaps it's a good idea to 'attack' them at random intervals, and wait a few months before repeating (thus giving you enough time to prepare the new attack; giving the users enough time to forget about the threat, and to account for new arrivals).

I'd rather be embarrassed by the local BOFH, rather than be a real victim

[iopq]

Just block the users you phish successfully and tell them their account has been hacked. Then they'll care.